mirror
/
PHPMailer
mirror of https://github.com/PHPMailer/PHPMailer.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Backport changes for CVE-2018-19296

This commit is contained in:
Marcus Bointon 2018-11-15 23:27:24 +01:00
parent 44776b5648
commit f1231a9771
No known key found for this signature in database
GPG Key ID: DE31CD6EB646AA24
2 changed files with 40 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

31
class.phpmailer.php
View File

@ -1296,9 +1296,12 @@ class PHPMailer
// Sign with DKIM if enabled
if (!empty($this->DKIM_domain)
&& !empty($this->DKIM_selector)
&& (!empty($this->DKIM_private_string)
|| (!empty($this->DKIM_private) && file_exists($this->DKIM_private))
and !empty($this->DKIM_selector)
and (!empty($this->DKIM_private_string)
or (!empty($this->DKIM_private)
and self::isPermittedPath($this->DKIM_private)
and file_exists($this->DKIM_private)
)
)
) {
$header_dkim = $this->DKIM_Add(
@ -1463,6 +1466,18 @@ class PHPMailer
return true;
}
/**
* Check whether a file path is of a permitted type.
* Used to reject URLs and phar files from functions that access local file paths,
* such as addAttachment.
* @param string $path A relative or absolute path to a file.
* @return bool
*/
protected static function isPermittedPath($path)
{
return !preg_match('#^[a-z]+://#i', $path);
}
/**
* Send mail using the PHP mail() function.
* @param string $header The message headers
@ -1791,7 +1806,7 @@ class PHPMailer
// There is no English translation file
if ($langcode != 'en') {
// Make sure language file path is readable
if (!is_readable($lang_file)) {
if (!self::isPermittedPath($lang_file) or !is_readable($lang_file)) {
$foundlang = false;
} else {
// Overwrite language-specific strings.
@ -2499,6 +2514,8 @@ class PHPMailer
* Add an attachment from a path on the filesystem.
* Never use a user-supplied path to a file!
* Returns false if the file could not be found or read.
* Explicitly *does not* support passing URLs; PHPMailer is not an HTTP client.
* If you need to do that, fetch the resource yourself and pass it in via a local file or string.
* @param string $path Path to the attachment.
* @param string $name Overrides the attachment name.
* @param string $encoding File encoding (see $Encoding).
@ -2510,7 +2527,7 @@ class PHPMailer
public function addAttachment($path, $name = '', $encoding = 'base64', $type = '', $disposition = 'attachment')
{
try {
if (!@is_file($path)) {
if (!self::isPermittedPath($path) or !@is_file($path)) {
throw new phpmailerException($this->lang('file_access') . $path, self::STOP_CONTINUE);
}
@ -2691,7 +2708,7 @@ class PHPMailer
protected function encodeFile($path, $encoding = 'base64')
{
try {
if (!is_readable($path)) {
if (!self::isPermittedPath($path) or !file_exists($path)) {
throw new phpmailerException($this->lang('file_open') . $path, self::STOP_CONTINUE);
}
$magic_quotes = get_magic_quotes_runtime();
@ -3035,7 +3052,7 @@ class PHPMailer
*/
public function addEmbeddedImage($path, $cid, $name = '', $encoding = 'base64', $type = '', $disposition = 'inline')
{
if (!@is_file($path)) {
if (!self::isPermittedPath($path) or !@is_file($path)) {
$this->setError($this->lang('file_access') . $path);
return false;
}

16
test/phpmailerTest.php
View File

@ -787,6 +787,22 @@ class PHPMailerTest extends PHPUnit_Framework_TestCase
$this->assertTrue($this->Mail->send(), $this->Mail->ErrorInfo);
}
/**
* Rejection of non-local file attachments test.
*/
public function testRejectNonLocalFileAttachment()
{
$this->assertFalse(
$this->Mail->addAttachment('https://github.com/PHPMailer/PHPMailer/raw/master/README.md'),
'addAttachment should reject remote URLs'
);
$this->assertFalse(
$this->Mail->addAttachment('phar://phar.php'),
'addAttachment should reject phar resources'
);
}
/**
* Simple plain string attachment test.
*/